Splunk® Enterprise

Release Notes

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Welcome to Splunk Enterprise 9.0

If you are new to Splunk Enterprise, read the Splunk Enterprise Overview.

For system requirements information, see the Installation Manual.

Before proceeding, review the Known Issues for this release.

Splunk Enterprise 9.0 was released on June 14, 2022.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Enterprise, read How to upgrade Splunk Enterprise in the Installation Manual for information you need to know before you upgrade.

See About upgrading: READ THIS FIRST for specific migration tips and information that might affect you when you upgrade.

The Deprecated and removed features topic lists computing platforms, browsers, and features for which Splunk has deprecated or removed support in this release.

What's New in 9.0

Ingest Actions: A new user interface that enables admins to quickly author, preview, and deploy ingest-time rules for filtering, masking, and routing events. See Use Ingest Actions to improve the data input process.
  • Admins can upload their own file (5GB limit) or copy/paste event logs as the source of preview data in the ruleset authoring environment.
  • Admins can route events to AWS S3, or to both Splunk indexing and AWS S3.
  • Admins can choose to route a copy of the data to an external destination and continue to process events before indexing.
  • Admins can create and configure an S3-compliant external destination for routing events using Splunk Web.
  • Admins can see a preview of events that are unaffected by a particular rule in the ruleset authoring environment.
  • Admins can see a preview of the configuration stanzas inside props.conf and transforms.conf that will be updated or added upon rule deployment.
  • Ruleset creation and management is now supported on the Deployment Server for heavy forwarders. Rulesets that are created on the Deployment Server using the Ingest Actions UI are written directly to the Deployment Apps folder upon Save and automatically trigger a reload of the Deployment Server.
Splunk Assist: Splunk Assist brings the power of Splunk Cloud Platform management insights to self-managed Splunk Enterprise deployments to analyze and continually evaluate security posture, alerting administrators with cloud-powered recommendations to change configurations and make necessary updates to Splunkbase apps to enhance security.

Splunk Assist is a fully managed cloud service that provides deep insights into the security posture of Splunk Enterprise deployments. Customers can apply configuration best practices that are consistent with how Splunk manages Splunk Cloud Platform for some of the largest and most complex deployments. See About Splunk Assist.

Indexer cluster manager redundancy: To achieve cluster manager high availability, you can deploy two or more cluster managers in an active/standby configuration. You can configure the managers to support either automatic or manual failover. See Implement cluster manager redundancy.
SmartStore support for Azure: Support for SmartStore using the Azure Blob service. This integration helps Splunk Enterprise customers who want Azure as part of their multi-cloud delivery option. See SmartStore system requirements.
Role-based field filtering (preview feature): Control who can see your sensitive data. Use field-level filtering and obfuscation at search time to limit access to confidential information for certain roles by redacting or obfuscating fields in events within searches. See Protecting PII and PHI data with role-based field filtering.
Migrate KV store storage engine and server version from 3.6.x to 4.2: To take advantage of the most up-to-date KV store in this release, Splunk Enterprise 9.0 comes with a set of tools to guide the upgrade of your KV store server version to v4.2, as well as the migration of your KV store storage engine. These updates are required in Splunk Enterprise 9.0. See Migrate the KV store storage engine in the Admin manual to plan your migration.
Upgrade Readiness App version 4.0.0: Splunk Enterprise 9.0.0 includes version 4.0.0 of the Upgrade Readiness App. See About the Upgrade Readiness App.
Integrate jQuery into Upgrade Readiness App: The Upgrade Readiness App now provides jQuery and Python 3 support to keep all apps working appropriately in future Splunk versions when old libraries are deprecated. Cloud admins can request new default Python versions within the Upgrade Readiness App. The Upgrade Readiness App is the newest version of the Python Upgrade Readiness App shipped in previous releases.
Configuration Change Tracker index: Splunk Enterprise enables you to track .conf file changes at the filesystem level with the new index _configtracker. The new auditing capability includes the tracking of .conf files, as well as their underlying stanzas and key-value pairs, to improve root cause analysis and troubleshooting. See Configuration Change Tracker in the Troubleshooting Manual.
Upgrade of default TSIDX compression level: For improved performance and reduced storage, the default tsidxWritingLevel is changed from 2 to 3. See The tsidx writing level in the Managing Indexers and Clusters of Indexers manual.
TSIDX compression for SmartStore indexes: This feature adds a flag to enable compression of TSIDX files for SmartStore indexes. TSIDX files are compressed and stored in AWS S3 using the zstd format, and are uncompressed when downloaded from AWS. This feature is intended to reduce storage and network costs and improve search times. See Compress tsidx files upon upload to S3.
Configure health report email alerts in Splunk Web: This enhancement enables admins to set up Health Report email alerts using the Splunk Web user interface. See Set up health report alert actions in the Monitoring Splunk Enterprise manual.
Health Report config tuning: Health Report includes new indicators that are based on customer issues that were caused by inaccurate config parameters. The new indicators alert you to potential configuration issues so you can correct them before they become problems.
Monitor forwarder ingestion latency in health report: The ingestion latency feature in the health report lets admins monitor whether forwarders in their distributed Splunk Enterprise deployment have fallen behind due to ingestion latency. The "Ingestion Latency Reported" status is displayed in the Splunk health report. For more information, see Supported features in the Monitoring Splunk Enterprise manual.
Health Report updates: Health Report is updated with the following usability improvements:
  • New descriptions of what is being monitored and how indicator thresholds determine health status.
  • Admins can temporarily suppress the monitoring and alerting of a specific Health Report feature.
Bucket Merge functionality for clustered peer instances: Cluster peer performance and stability increasingly suffer as the number of buckets increases. Additionally, activities such as service restarts can have the side effect of multiplying small buckets. The new cluster-merge-buckets command provides a self-service capability for administrators to manage the merging of buckets. See cluster-merge-buckets in Command line tools for use with Support in the Troubleshooting Manual.
Dashboard Studio: Dashboard Studio has several enhancements this release, such as setting tokens from search results or search job status, passing tokens from one dashboard to the next, and new cluster maps. For a comprehensive list of new features and enhancements, see What's new in Dashboard Studio in the Splunk Dashboard Studio manual.
Dashboards: Bulk migration from viz.<type> to splunk.<type>: Users can now update their dashboard visualizations with one click. These updated visualizations provide greater flexibility and configurability.
Dashboards: Block access to inline style sheets: Users now receive a message to reference external style sheets instead of inline styles in Simple XML dashboards for improved maintainability.
Restriction of jQuery 2 libraries: Administrators can now restrict vulnerable jQuery libraries using a toggle available in the Settings UI. Note that restricting these libraries does not require a Splunk restart. See Control access to jQuery and other internal libraries.
Audit improvements for knowledge objects: This feature enhances the existing auditing framework to give customers insight into the lifecycle of knowledge objects (saved searches, reports, and alerts) through clear audit logs that record who created, updated, or deleted the knowledge object and when.
Federated Search for Cloud to OnPrem deployments: Enables customers to get insights across Splunk Cloud and on-prem Splunk deployments with searches initiated from Splunk Cloud.
Federated Search enhancements to improve the hybrid-to-federated migration experience (transparent mode): Introduces transparent mode federated providers, which allow existing hybrid search customers to migrate smoothly to federated search. See Migrate from hybrid search to federated search.
Federated search UI enhancements: This release includes the following enhancements to the Federated Search UI:
  • Removed the ability to enable or disable Local knowledge objects for federated providers. This functionality, which controls bundle replication of knowledge objects from the federated search head on the local Splunk deployment to the remote search head on the federated provider, is now set up so that it applies only to transparent mode federated providers.
  • Updated the related Application short name functionality, which now applies only to standard mode providers.

See About federated search.

Federated search support for data model datasets, data model acceleration, and the tstats command: Enables federated searches over data model datasets in both standard and transparent mode. You can now use the tstats command to search over accelerated data model datasets. See Create a federated index and Run federated searches.
Federated search command enhancements for standard mode: Federated searches can now use the lookup command. See Run federated searches.
Federated search consent UI: Enables customers to use federated search in compliant environments. Checkboxes have been added to the UI that require administrators to acknowledge that enabling federated search from deployments with lower regulatory compliance to deployments with higher regulatory compliance might compromise that compliance. See Service accounts and federated search security and Define a federated provider.
Replacement of existing MMDB file shipped with Splunk Enterprise: With the release of Splunk Enterprise 9.0, the default provider and associated lookup file for the "iplocation" search command has changed. If you use the "iplocation" command with the "allfields=true" option, you will see a difference in the output fields: both the "Timezone" and "MetroCode" fields are removed. As an alternative, customers may upload and use their own self-licensed MMDB file, provided it is in a compatible MMDB format.
Enhancements to the foreach command for multivalue fields and JSON arrays: In addition to obtaining search results across multiple fields in each result row, you can now use the foreach command to iterate over multiple values within a single row's field in multivalue fields or JSON arrays. See foreach in the Splunk Enterprise Search Reference.
Automatic setup of assets in monitoring console: The monitoring console now features an option to automatically build and maintain the list of assets (nodes) for representation in the monitoring console, especially as assets are added and evicted.

See Enable automatic distributed mode configuration in Monitoring Splunk Enterprise.

Update to Splunk Secure Gateway App: Splunk Secure Gateway lets you manage your Connected Experiences (Splunk Mobile & Splunk AR) mobile app deployments and register devices to a Splunk instance. With the latest updates to Splunk Secure Gateway, we've given you the ability to unlock admin insights, configure your region, and highly customize your mobile experience. In addition, we've made it even easier to register and manage your connected devices.
Semantic versioning of APIs: New semantically versioned endpoints of the Search API are being introduced to improve platform contracts and resiliency to platform updates. A deprecation period will be announced to allow customers to update their usage of these endpoints to the new API version.
Universal forwarder: Collect macOS Unified Logging data: The universal forwarder supports the new log source standard for macOS using the logd input. See Forward data with the logd input.
Universal forwarder: Configuration changes are logged by default: The config_change_tracker setting in server.conf logs all configuration changes by default. Any configuration setting changes detected during universal forwarder restarts are added to configuration_change.log as described in What Splunk software logs about itself.
Universal forwarder: Managed Service Accounts supported for Windows installations: During CLI installations, you can now specify a Managed Service Account (MSA) name or Group Managed Service Account (gMSA) name. See Install the universal forwarder in low-privilege mode.
Universal forwarder: Automatic password generation support for Windows installations: The universal forwarder for Windows now provides the option to automatically generate a password at installation time. See Install a Windows universal forwarder from an installer.
Universal forwarder: Least-privileged user creation for Linux installations: By default, the universal forwarder installer creates a least-privileged user. This user runs as a non-root user with the minimum privileges needed to manage the universal forwarder. See Secure your Linux universal forwarder by installing in least privileged mode.
Universal forwarder: Limit access to port 8089 by default: The default setting for mgmtHostPort in web.conf is mgmtHostPort = localhost, where localhost resolves to 127.0.0.1 for IPv4 and ::1 for IPv6. This means that external servers cannot access the management port and that REST API calls to the universal forwarder from external servers will fail. You can disable this by setting disableDefaultPort=true in server.conf.
Workload Management: Ad hoc search quota control: You can now create admission rules to limit the number of concurrent ad hoc searches, which can help to ensure that search slots remain available for critical scheduled searches.

See Configure admission rules to prefilter searches in the Workload Management manual.

Workload Management: Enhanced wildcard support in workload rules: This enhancement gives you more flexibility when creating workload rules and admission rules by adding wildcard support for the following predicates: index and role. For example, you can now create rules such as index=prod* or role=support_*.

See Configure workload rules in the Workload Management manual.

Risky commands restrictions: New run_custom_command, run_dump, and run_sendalert capabilities have been added to restrict the execution of risky commands to selected roles. See SPL safeguards for risky commands in Securing Splunk Enterprise.
New ipmask(<mask>,<IP>) conversion function: This function generates a new masked IP address by applying a mask to an IP address through a bitwise AND operation. See ipmask(<mask>,<IP>) in the Splunk Enterprise Search Reference.
Removed biased language: Biased language has been removed from the licensing components of Splunk Enterprise, in keeping with Splunk's commitment to equality in our actions and products.

Additionally, the master-apps directory, used to distribute updates to indexer cluster peer nodes, has been replaced by the manager-apps directory with identical functionality. So as not to break existing deployments, numerous safeguards are provided. For details, see Which directory to use: manager-apps or master-apps?.

What's New in

Splunk Enterprise was released on July 20, 2022. It resolves the issue described in Splunk Enterprise Fixed issues.

What's New in 9.0.1

Splunk Enterprise 9.0.1 was released on August 16, 2022. It delivers relevant fixes described in the August 16, 2022 quarterly security patch on the Splunk Product Security page. This release also introduces the following enhancements and resolves the issues described in Fixed issues.

Ingest Actions enhancements:
  • Set Index capability in Ingest Actions rulesets
  • New health report indicator: S3 Output
  • Security fixes
Dashboards: Warn users when they are leaving Splunk via custom URL drilldown: For improved security, users are now prompted to acknowledge any time they are being redirected to a link outside of their deployment.

What's New in 9.0.2

Splunk Enterprise 9.0.2 was released on November 1, 2022.

Ingest Actions multiple S3 bucket destinations: Ingest Actions now supports routing to more than one S3 destination. The creation of a maximum of four S3 destinations is currently supported.
Ingest Actions S3 output configuration without rolling restart: Ingest Actions supports creating, editing, and deleting a new S3-compliant destination without triggering a rolling restart (indexer clustering bundle push).
Common access card (CAC) / Personal Identity Verification (PIV) authentication: CAC/PIV authentication is natively supported on Splunk Enterprise version 9.0.2 and higher search heads. See Configure Splunk Enterprise to use a common access card for authentication.

What's New in 9.0.3

Splunk Enterprise 9.0.3 was released on December 14, 2022.

The rex function: The rex function in default mode now treats the caret ( ^ ) properly. For example, the following search extracts 192..

| makeresults | fields - _* * | eval ip_input = "" | rex offset_field=offset max_match=0 field=ip_input "^(?<extract>\d+\.)" | table ip_input extract offset

Previously, the following search with the regular expression ^(?<roles>\S+)\n* incorrectly returned three rows.

| makeresults | eval roles="ess_analyst ess_correlation_engineer user" | rex max_match=0 field=roles "^(?<roles>\S+)\n*"

Now that the behavior of the caret ( ^ ) has been fixed, the same search returns one row of results. To generate three rows of results as before, the regular expression in the search must be changed to (?m)^(?<role>\S+), like this:

|makeresults | eval roles="ess_analyst ess_correlation_engineer user" | rex max_match=0 field=roles "(?m)^(?<role>\S+)"

The results of the search look something like this:

_time                role         roles
2023-05-19 21:18:57  ess_analyst
New flag to enable translation of user content: A new flag in web-features.conf enables translation of user content in Simple XML dashboards.
Warning for use of S2S V3 or lower: A warning is now issued when S2S V3 or lower is in use.
Migration script to update all v=null dashboards to v=1.1: When Splunk is upgraded or starts up, Simple XML dashboards where no version attribute is specified are updated to v=1.1.
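The caret behaviour behind the rex change above, shown with Python's re module as an added example (not code from the release notes): with max_match=0 emulated by re.finditer, a plain ^ anchors only at the start of the field value, while (?m) makes it anchor at every line start, which is why the search needs (?m) to yield one row per role. The roles value is constructed for this illustration with newline-separated values; Python's named-group syntax (?P<role>...) replaces the (?<role>...) form that rex accepts.

```python
import re

# Constructed sample, not from the release notes: a multivalue-style field
# whose values are separated by newlines.
ROLES_FIELD = "ess_analyst\ness_correlation_engineer\nuser"

# Python's re spells named groups (?P<name>...); rex/PCRE also accepts
# (?<name>...). The meaning of ^ and of the (?m) flag is the same in both.
SINGLE_LINE_CARET = r"^(?P<role>\S+)\n*"   # ^ matches only at the start of the value
MULTI_LINE_CARET = r"(?m)^(?P<role>\S+)"   # (?m) makes ^ also match after each newline


def rex_max_match(pattern: str, field_value: str) -> list[str]:
    """Emulate rex max_match=0: one captured value per match, in order."""
    return [m.group("role") for m in re.finditer(pattern, field_value)]


def compare_caret_behaviour(field_value: str) -> dict[str, list[str]]:
    """Return the rows each pattern produces, keyed by mode.

    "fixed_default" is the post-fix behaviour of the original pattern;
    "multiline" is the rewritten pattern the release note recommends.
    """
    return {
        "fixed_default": rex_max_match(SINGLE_LINE_CARET, field_value),
        "multiline": rex_max_match(MULTI_LINE_CARET, field_value),
    }


if __name__ == "__main__":
    for mode, rows in compare_caret_behaviour(ROLES_FIELD).items():
        print(f"{mode}: {len(rows)} row(s) -> {rows}")
```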

What's New in 9.0.4

Splunk Enterprise 9.0.4 was released on February 14, 2023. It delivers relevant fixes described in the February 14, 2023 quarterly security patch on the Splunk Product Security page. This release also introduces the following change and resolves the issues described in Fixed issues.

The search_listener request parameter for the Splunk REST API search/jobs endpoint is disabled.

What's New in

Splunk Enterprise was released on March 17, 2023. It resolves the issue described in Splunk Enterprise Fixed issues.

Last modified on 13 October, 2023

This documentation applies to the following versions of Splunk® Enterprise: 9.0.4
